These Terms of Use & Non-Disclosure Agreement (these “Terms”) constitute a legally binding agreement between MB DK Cyber Solutions, a private limited liability company established under the laws of the Republic of Lithuania (“Company,” “we,” “us,” or “V-Formation”), and the individual or entity accessing or using the Platform (“Researcher,” “you,” or “User”).
By accessing the V-Formation security testing platform (the “Platform”), creating an account, or participating in any bug bounty, vulnerability disclosure, or security testing program (each, a “Program”), you agree to be bound by these Terms.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the Company.
“Confidential Information” means all non-public information disclosed by the Company or its Customers to the Researcher, including but not limited to vulnerability reports, Proof of Concept (PoC) exploits, system architecture, source code, API keys, customer lists, and internal communications.
“Customer” means the third-party entity or organization that has authorized the Company to host a Program regarding their assets.
“Submission” means any vulnerability report, data, text, or other material provided by the Researcher to the Company regarding a Program.
2.1 Acceptance
By registering for an account or submitting a report, you expressly acknowledge that you have read, understood, and agree to these Terms.
2.2 Scope
These Terms apply to your use of the Platform and participation in all current and future Programs. In the event of a conflict between these Terms and a specific Program’s policy (“Program Brief”), the Program Brief shall prevail solely with respect to the scope of testing and rewards for that specific Program.
3.1 Eligibility:
To participate, you must:
Be at least 18 years of age (or the age of majority in your jurisdiction).
Not be a resident of, or located in, any country subject to sanctions by the United Nations, European Union, or the United States (e.g., OFAC lists).
Not appear on any Denied Persons List or similar government watchlists.
3.2 Account Security
You are responsible for maintaining the confidentiality of your account credentials. You agree to notify the Company immediately of any unauthorized use of your account.
4.1 Obligations
You agree to hold all Confidential Information in strict confidence. You shall not disclose, copy, publish, transmit, or otherwise make available any Confidential Information to any third party without the Company’s prior written consent.
4.2 Use of Information
You may use Confidential Information solely for the purpose of identifying and reporting security vulnerabilities via the Platform in accordance with these Terms.
4.3 Exclusions
Confidential Information does not include information that: (a) is or becomes publicly known through no breach of these Terms; (b) was lawfully known to you prior to disclosure; or (c) is independently developed by you without use of the Confidential Information.
4.4 Data Destruction
Upon the earlier of (a) the conclusion of your participation in a Program, (b) a request by the Company, or (c) the resolution of a report, you must permanently delete all locally stored Confidential Information (including logs, screenshots, and source code).
5.1 authorized Conduct
The Company grants you limited, revocable authorization to access specific assets explicitly defined as "In Scope" in the applicable Program Brief, provided such access is for the sole purpose of security testing in compliance with these Terms.
5.2 Safe Harbor:
Legal Action: We will not pursue civil legal action against you for security research activities that are consistent with these Terms and the applicable Program Brief.
Third Parties: If a third party initiates legal action against you and you have complied with these Terms, we will take reasonable steps to make it known that your actions were conducted in compliance with our authorization.
5.3 Prohibited Activities
Unless explicitly authorized in a Program Brief, you strictly prohibited from:
Executing Denial of Service (DoS/DDoS) attacks.
Accessing, modifying, or destroying data belonging to other users.
Performing physical security testing or social engineering (e.g., phishing).
Using automated scanners that degrade system performance.
Retaining access to a system after a vulnerability is proven (i.e., installing backdoors).
6.1 Reporting
All vulnerabilities must be reported exclusively through the Platform.
6.2 Embargo
You agree not to publicly disclose any details of a vulnerability without the express written consent of the Company and the relevant Customer.
6.3 Disclosure Timeline
Public disclosure is generally prohibited. However, disclosure may be permitted upon mutual agreement between you, the Company, and the Customer. Unauthorized public disclosure constitutes a material breach of these Terms and may result in immediate account termination and legal action.
7.1 Discretion
Bounties and rewards are awarded at the sole discretion of the Company and the Customer. Generally, only the first valid, verified report of a unique vulnerability is eligible for a reward.
7.2 Payment Terms:
Payments are denominated in EUR.
You are responsible for providing accurate tax and payment information.
Payments are processed only after the vulnerability has been validated and the Customer has authorized the payout.
Taxes: You are solely responsible for all applicable taxes regarding the rewards you receive. The Company will not withhold taxes unless required by Lithuanian law.
8.1 Researcher IP
You retain ownership of any independent tools or methodologies you use during testing.
8.2 License Grant
By submitting a vulnerability report, you grant the Company and the applicable Customer a perpetual, irrevocable, worldwide, royalty-free, non-exclusive license to use, reproduce, modify, and analyze the Submission for the purpose of remediating the vulnerability and improving security.
8.3 Platform IP
The V-Formation Platform, including its code, design, and trademarks, is the exclusive property of the Company.
9.1 Data Processing
We process your personal data in accordance with our Privacy Policy and the General Data Protection Regulation (GDPR).
9.2 Incidental Access
If you inadvertently access Personal Data (PII) during testing, you must: (a) cease testing immediately; (b) not save or copy the data; and (c) report the incident immediately via the Platform.
10.1 Disclaimer
THE PLATFORM AND PROGRAMS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND.
10.2 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE COMPANY SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THESE TERMS. THE COMPANY'S TOTAL LIABILITY SHALL NOT EXCEED THE TOTAL AMOUNT OF BOUNTIES PAID TO YOU IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.
You agree to indemnify, defend, and hold harmless the Company, its Affiliates, and Customers from any claims, liabilities, damages, or expenses (including legal fees) arising from your breach of these Terms, your violation of any law, or your infringement of any third-party rights.
12.1 Termination
The Company reserves the right to suspend or terminate your access to the Platform at any time, for any reason, with or without notice.
12.2 Effect
Upon termination, your right to use the Platform ceases immediately. Sections 4 (Confidentiality), 8 (Intellectual Property), 10 (Liability), and 11 (Indemnification) shall survive termination.
These Terms are governed by the laws of the Republic of Lithuania. Any dispute arising out of or relating to these Terms shall be settled exclusively by the competent courts located in Vilnius, Lithuania.
14.1 Relationship
You are an independent contractor. Nothing in these Terms creates an employment, agency, or partnership relationship.
14.2 Entire Agreement
These Terms constitute the entire agreement between the parties.
14.3 Contact
For legal inquiries, contact: [email protected]
Address: Girulių g. 10-201, LT-12112 Vilnius, Lithuania.